| Summary: | lack of bounds check on string functions after getenv() call. | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Andrew R. Reiter <arr> |
| Component: | bin | Assignee: | arr |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 5.0-CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: freebsd-bugs->arr. Originator was punished to become a committer.

State Changed From-To: open->closed. Patch committed. Thanks (to self).
Essentially, after a call to getenv() in which the code wishes to receive the data for the TMPDIR key, it will do either a sprintf() or a strcpy() depending on whether or not a NULL was returned from getenv(). The sprintf() could be overflowed; the strcpy() more than likely not. More specifically, the problem is:

```c
char path[MAXPATHLEN];

if (!first && !envtmp) {
	envtmp = getenv("TMPDIR");
	first = 1;
}
if (envtmp)
	(void)sprintf(path, "%s/%s", envtmp, _NAME_ARTMP);
else
	strcpy(path, _PATH_ARTMP);
```

Fix:

```diff
 if (envtmp)
- (void)sprintf(path, "%s/%s", envtmp, _NAME_ARTMP);
+ (void)snprintf(path, sizeof(path), "%s/%s", envtmp,
+ _NAME_ARTMP);
 else
- strcpy(path, _PATH_ARTMP);
+ strlcpy(path, _PATH_ARTMP, sizeof(path));
 sigfillset(&set);
 (void)sigprocmask(SIG_BLOCK, &set, &oset);
```

Attached file.diff (cut off after the hunk header on this page):

```diff
Index: misc.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/ar/misc.c,v
retrieving revision 1.7
diff -u -r1.7 misc.c
--- misc.c	24 Jul 2001 14:04:20 -0000	1.7
+++ misc.c	31 Oct 2001 14:11:17 -0000
@@ -73,9 +73,10 @@
 }
```
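Review bot: the snprintf() and strlcpy() replacements in the Fix hunk stop the overflow but never check their return values, so an over-long TMPDIR now yields a silently truncated temp path in `path` instead of an error. Capture the snprintf() result and compare it against sizeof(path) (and likewise check that strlcpy() returned a value below sizeof(path)), bailing out on truncation before the `sigfillset(&set);` line, e.g. `if (n < 0 || (size_t)n >= sizeof(path)) errx(1, "TMPDIR too long");`. The attached file.diff is cut off on this page right after its `@@ -73,9 +73,10 @@` header, so only the inline hunk could be reviewed.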
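To show the one thing the bounded replacements still leave open, here is an added example (not code from this PR or from ar's misc.c) that builds the same TMPDIR-based temp path into a MAXPATHLEN buffer but treats snprintf() truncation as an error instead of silently using a cut-off path. `NAME_ARTMP`, `PATH_ARTMP`, `build_tmp_path` and `tmpdir_fits` are hypothetical stand-ins for ar's own macros and code, and the over-long TMPDIR value in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 1024          /* same buffer size ar's misc.c uses */
/* Hypothetical stand-ins for ar's _NAME_ARTMP / _PATH_ARTMP macros. */
#define NAME_ARTMP "ar.XXXXXX"
#define PATH_ARTMP "/tmp/" NAME_ARTMP

/*
 * Build the temp path as the fixed misc.c does, but also report
 * truncation: returns 0 on success, -1 if the result does not fit in
 * len bytes.  envtmp may be NULL, as when getenv("TMPDIR") finds nothing.
 */
int build_tmp_path(const char *envtmp, char *path, size_t len)
{
    int n = (envtmp != NULL)
        ? snprintf(path, len, "%s/%s", envtmp, NAME_ARTMP)
        : snprintf(path, len, "%s", PATH_ARTMP);

    /* snprintf returns the length it needed; >= len means it was cut. */
    if (n < 0 || (size_t)n >= len) {
        if (len > 0)
            path[0] = '\0';
        return -1;
    }
    return 0;
}

/* Uses the same MAXPATHLEN stack buffer ar uses; returns the verdict. */
int tmpdir_fits(const char *envtmp)
{
    char path[MAXPATHLEN];
    return build_tmp_path(envtmp, path, sizeof(path));
}

int main(void)
{
    /* Constructed input: a TMPDIR value wider than the whole buffer,
     * the case the original unbounded sprintf() would have overflowed. */
    char huge[MAXPATHLEN + 64];
    memset(huge, 'A', sizeof(huge) - 1);
    huge[sizeof(huge) - 1] = '\0';

    printf("TMPDIR=/var/tmp : %s\n", tmpdir_fits("/var/tmp") == 0 ? "ok" : "rejected");
    printf("TMPDIR unset    : %s\n", tmpdir_fits(NULL) == 0 ? "ok" : "rejected");
    printf("%zu-byte TMPDIR : %s\n", strlen(huge),
           tmpdir_fits(huge) == 0 ? "ok" : "rejected");
    return 0;
}
```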